An iOS security researcher has released what he claims to be an unpatchable ‘public bootrom’ exploit that affects hundreds of millions of iOS devices. Named checkm8, it allegedly works on iPhones 4S to X, letting attackers decrypt keybags with AES engine, dump SecureROM, and demote the device to enable JTAG.
Developer axi0mX discovered the flaw and released it to aid the jailbreak community. Thankfully, the attack can not be triggered remotely, but it could be used as a tool to gain a degree of control over a phone that doesn’t belong to an attacker.
As axi0mX mentions, though, the biggest interest may be to the jailbreaking community. Jailbreaking an iPhone refers to the practice of using a chain of exploits to let a user modify a device beyond what Apple intended. Until today, the last phone with a public bootrom exploit available was the iPhone 4.
Currently, the ‘ipwndfu’ tool released by the dev isn’t focused on a full jailbreak, however. It doesn’t integrate non-official AppStore Cydia yet and is primarily focused on aiding the security community. The Microsoft GitHub-hosted tool currently holds the following features:
- “Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. 🙂
- Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
- Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
- Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
- Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
- Dump NOR on S5L8920 devices.
- Flash NOR on S5L8920 devices.
- Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.”
Apple is yet to respond to requests for comment on this developing story. iOS was recently hit by the same Exodus spyware as Android. In late August, Google Project Zero revealed that iOS devices have been vulnerable to a string of zero-day exploits for two years.